From 2535ad29c7396252c26316ad91cfb407cd920ba0 Mon Sep 17 00:00:00 2001
From: bsag
Date: Sat, 18 Feb 2006 17:52:43 +0000
Subject: [PATCH] Moved the loginhash/salt from the user.preferences to a constant set in config/environment.rb. This keeps it out of the database which is probably a little more secure, and allows upgrading users to set the loginhash to the value that they used before. Updated README_FOR_APP to let people know that they should edit this value before they start using Tracks. Fixes #204.
git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@187 a4c988fc-2ded-0310-b66e-134b36920a42
---
 tracks/app/controllers/login_controller.rb | 2 +-
 tracks/app/controllers/user_controller.rb | 3 +--
 tracks/app/models/user.rb | 6 ++----
 tracks/app/views/user/preference_edit_form.rhtml | 1 -
 tracks/app/views/user/preferences.rhtml | 1 -
 tracks/config/environment.rb | 5 ++++-
 tracks/config/environments/development.rb | 3 +--
 .../db/migrate/006_add_preferences_to_user_table.rb | 2 +-
 tracks/doc/README_FOR_APP | 12 ++++++++++++
 9 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/tracks/app/controllers/login_controller.rb b/tracks/app/controllers/login_controller.rb
index 8d5de33b..f2fb848c 100644
--- a/tracks/app/controllers/login_controller.rb
+++ b/tracks/app/controllers/login_controller.rb
@@ -55,7 +55,7 @@ class LoginController < ApplicationController if user.save @session['user'] = User.authenticate(user.login, @params['user']['password']) @user = @session['user'] - @user.preferences = { "date_format" => "%d/%m/%Y", "week_starts" => "1", "no_completed" => "5", "staleness_starts" => "7", "due_style" => "1", "admin_email" => "butshesagirl@rousette.org.uk", "loginhash" => "change-me"} + @user.preferences = { "date_format" => "%d/%m/%Y", "week_starts" => "1", "no_completed" => "5", "staleness_starts" => "7", "due_style" => "1", "admin_email" => "butshesagirl@rousette.org.uk"} @user.save flash['notice'] = "Signup successful" redirect_back_or_default :controller => "todo", :action => "list" diff --git a/tracks/app/controllers/user_controller.rb b/tracks/app/controllers/user_controller.rb index fd05e2b0..66ae5910 100644 --- a/tracks/app/controllers/user_controller.rb +++ b/tracks/app/controllers/user_controller.rb @@ -27,8 +27,7 @@ class UserController < ApplicationController "no_completed" => "#{@params['prefs']['no_completed']}", "staleness_starts" => "#{@params['prefs']['staleness_starts']}", "due_style" => "#{@params['prefs']['due_style']}", - "admin_email" => "#{@params['prefs']['admin_email']}", - "loginhash" => "#{@params['prefs']['loginhash']}" + "admin_email" => "#{@params['prefs']['admin_email']}" } if @user.save redirect_to :action => 'preferences' diff --git a/tracks/app/models/user.rb b/tracks/app/models/user.rb index bac1bbd8..8db596e0 100644 --- a/tracks/app/models/user.rb +++ b/tracks/app/models/user.rb @@ -22,10 +22,8 @@ class User < ActiveRecord::Base protected def self.sha1(pass) - # TODO find somewhere else to set the loginhash salt - # This is hard-coded for now, but the user needs to be - # able to set their own somewhere - Digest::SHA1.hexdigest("change-me--#{pass}--") + # SALT is set in RAILS_ROOT/config/environment.rb + Digest::SHA1.hexdigest("#{SALT}--#{pass}--") end before_create :crypt_password 
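Review bot: The new `Digest::SHA1.hexdigest("#{SALT}--#{pass}--")` in User.sha1 still mixes one application-wide value into every user's hash, so two accounts with the same password store the same digest and the constant behaves as a pepper rather than a salt; a per-user random salt stored next to the hash, combined with a deliberately slow password-hashing function instead of a single SHA-1 round, would be the stronger design. Because SALT is interpolated directly into the digest input, changing it later silently invalidates every stored password, which the commit message anticipates for upgrading users but the comment in the hunk does not mention. I would extend that comment to `# SALT is set in RAILS_ROOT/config/environment.rb; changing it invalidates all existing passwords`. The enclosing User class continues outside the hunk.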
diff --git a/tracks/app/views/user/preference_edit_form.rhtml b/tracks/app/views/user/preference_edit_form.rhtml
index 2bd323c8..0a112b4f 100644
--- a/tracks/app/views/user/preference_edit_form.rhtml
+++ b/tracks/app/views/user/preference_edit_form.rhtml
@@ -3,7 +3,6 @@

The preference settings should mostly be self-explanatory, but some hints are included below:

<%= link_to "Edit preferences", :controller => 'user', :action => 'edit_preferences' %> diff --git a/tracks/config/environment.rb b/tracks/config/environment.rb index 811e6618..b63d3d3f 100644 --- a/tracks/config/environment.rb +++ b/tracks/config/environment.rb @@ -48,4 +48,7 @@ end # inflect.uncountable %w( fish sheep ) # end -# Include your application configuration below \ No newline at end of file +# Include your application configuration below +# This is the 'salt' to add to the password before it is encrypted +# You need to change this to something unique for yourself +SALT = "change-me" \ No newline at end of file diff --git a/tracks/config/environments/development.rb b/tracks/config/environments/development.rb index 77a4205d..6cbd08e4 100644 --- a/tracks/config/environments/development.rb +++ b/tracks/config/environments/development.rb @@ -17,5 +17,4 @@ config.action_controller.perform_caching = false config.action_mailer.raise_delivery_errors = false # Unique cookies -ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = "TrackDev" -# ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:tmpdir] = "#{RAILS_ROOT}/tmp" \ No newline at end of file +ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = "TrackDev" \ No newline at end of file diff --git a/tracks/db/migrate/006_add_preferences_to_user_table.rb b/tracks/db/migrate/006_add_preferences_to_user_table.rb index 8f9ad2d7..38f2781e 100644 --- a/tracks/db/migrate/006_add_preferences_to_user_table.rb +++ b/tracks/db/migrate/006_add_preferences_to_user_table.rb 
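Review bot: `SALT = "change-me"` in config/environment.rb ships a working default, so an install where nobody edits the file runs with the same well-known value as every other unedited install, and the same value the previous hard-coded code used. The README hunks tell people to change it, but nothing in the code notices if they do not; a one-line check beside the constant would make the omission visible, e.g. `warn "config/environment.rb: SALT is still the default value; change it before creating users" if SALT == "change-me"`. The hunk also leaves the file without a trailing newline on both sides, which is harmless but easy to fix while the last line is being edited.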
@@ -3,7 +3,7 @@ class AddPreferencesToUserTable < ActiveRecord::Migration add_column "users", "preferences", :text @users = User.find(:all) @users.each do |u| - u.preferences = { "date_format" => "%d/%m/%Y", "week_starts" => "1", "no_completed" => "5", "staleness_starts" => "7", "due_style" => "1", "admin_email" => "butshesagirl@rousette.org.uk", "loginhash" => "change-me"} + u.preferences = { "date_format" => "%d/%m/%Y", "week_starts" => "1", "no_completed" => "5", "staleness_starts" => "7", "due_style" => "1", "admin_email" => "butshesagirl@rousette.org.uk"} u.save end end diff --git a/tracks/doc/README_FOR_APP b/tracks/doc/README_FOR_APP index e572f866..19b6247a 100644 --- a/tracks/doc/README_FOR_APP +++ b/tracks/doc/README_FOR_APP @@ -40,7 +40,11 @@ In the following, I'm assuming that you're using MySQL and the built-in WEBrick cd /PATHTO/TRACKS rake setup_tracks +* Open the file config/environment.rb and look at the last line which should read: + SALT = "change-me" + +Change the word change-me to something else of your choosing. This string will be used as a 'salt' to encrypt your password and make it a bit more secure. * Run 'rake migrate', which will create the necessary tables in your database, including some required contents: cd /PATHTO/TRACKS @@ -77,7 +81,11 @@ Then cd into the db directory and run rake migrate. This should create the datab cd /PATHTO/TRACKS rake setup_tracks +* Open the file config/environment.rb and look at the last line which should read: + SALT = "change-me" + +Change the word change-me to something else of your choosing. This string will be used as a 'salt' to encrypt your password and make it a bit more secure. * If you are using MySQL or Postgresql, you can use the rake migrate task to update your tables. At your command line: cd /PATHTO/TRACKS 
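Review bot: Editing 006_add_preferences_to_user_table.rb only affects databases that have not yet run this migration; users created before this commit already have a `"loginhash" => "change-me"` entry serialized in their preferences column, and nothing in the diff removes it. If the stale key matters, a new migration that deletes `"loginhash"` from each user's preferences would be the conventional fix rather than rewriting an applied migration; if it does not matter, a short note saying the leftover key is ignored would avoid the question later. I cannot see whether any remaining code still reads `preferences['loginhash']`, so treat the first point as something to confirm.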
@@ -98,7 +106,11 @@ Then cd into the db directory and run rake migrate. This should create the datab cd /PATHTO/TRACKS rake setup_tracks +* Open the file config/environment.rb and look at the last line which should read: + SALT = "change-me" + +Change the word change-me to something else of your choosing. This string will be used as a 'salt' to encrypt your password and make it a bit more secure. * The rake task upgrade_sqlite_db.rake (in tracks/lib/tasks) will help you to upgrade your database before running 'rake migrate' to make the appropriate changes to the tables. In lines 4-6 of that file, you'll find some variables (old_db, new_db and cmd) that you'll need to change appropriately for your setup. old_db is the filename of your old version 1.03 database, new_db is the filename you'd like to give to the new database, and cmd is sqlite or sqlite3 depending on which verison you're using. * Save the file after making the changes, then - in the root of your tracks directory - issue the command rake upgrade_sqlite_db. You should get a message that your new db has been created, and some temporary files created. You need to check the new database to make sure that it has sensible contents. In particular, check that the 'user_id' field in the todos, contexts and projects tables have the value of '1' (i.e. they are owned by your admin user, who should have an id of 1).